Mozilla released Firefox 3.5.6 that fixes several security issues.
Privilege escalation via chrome window.opener
Location bar spoofing vulnerabilities
Security researcher Jonathan Morgan reported that when a page loaded over an insecure protocol, such as http: or file:, sets its document.location to a https: URL which responds with a 204 status and empty response body, the insecure page will receive SSL indicators near the location bar, but will not have its page content modified in any way. This could lead to a user believing they were on a secure page when in fact they were not.
NTLM reflection vulnerability
Security researcher Takehiro Takahashi of the IBM X-Force reported that Mozilla’s NTLM implementation was vulnerable to reflection attacks in which NTLM credentials from one application could be forwarded to another arbitary application via the browser. If an attacker could get a user to visit a web page he controlled he could force NTLM authenticated requests to be forwarded to another application on behalf of the user.
Integer overflow, crash in libtheora video library
Security researcher Dan Kaminsky reported an integer overflow in the Theora video library. A video’s dimensions were being multiplied together and used in particular memory allocations. When the video dimensions were sufficiently large, the multiplication could overflow a 32-bit integer resulting in too small a memory buffer being allocated for the video. An attacker could use a specially crafted video to write data past the bounds of this buffer, causing a crash and potentially running arbitrary code on a victim’s computer.
Memory safety fixes in liboggplay media library
Mozilla discovered several bugs in liboggplay which posed potential memory safety issues. The bugs which were fixed could potentially be used by an attacker to crash a victim’s browser and execute arbitrary code on their computer.
Crashes with evidence of memory corruption (rv:18.104.22.168/ 22.214.171.124)
Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.